Need some help in Routing in Linux

Post by GS » Sat, 25 Nov 2006 14:55:36



Guys:

I have a problem; can some router expert give me a clue? We have two
different subnets, 192.168.1 (ADSL router) and 192.168.2 (regular SOHO
router). The second router is connected to one of the ports on the first
router, and the second router's WAN port is assigned a static IP address
(192.168.1.128). From the 192.168.2 subnet we can log in to all machines in
the 192.168.1 subnet, whereas from 192.168.1 to 192.168.2 we can't log in
or ping at all. I added a route on the 192.168.1 subnet; still I can't
access the 2nd subnet's machines. On the first subnet I added the route
using the command below, and the routing table looks like the following.
All machines on both subnets are Linux machines only.


192.168.1.128


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.1.128   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

192.168.1.1 is the gateway IP address for the 192.168.1 subnet, whereas
192.168.2.254 is the gateway IP address for the 192.168.2 subnet.

 
 
 

Need some help in Routing in Linux

Post by GS » Sat, 25 Nov 2006 14:58:22


In the routing table in the above message, it shows an entry for the
"169.254.0 subnet". I have no idea why 169.254.0.0 is showing; I
didn't add any route for this entry.

 
 
 

Need some help in Routing in Linux

Post by MA » Sat, 25 Nov 2006 23:12:56



> from 192.168.2 subnet, we can login to all machines in
> 192.168.1 subnet, whereas from 192.168.1 to 192.168.2, we can't login
> or ping at all

Can you access 192.168.2.128 from the first subnet and from 192.168.1.1?
What about firewall rules on both hosts?
 
 
 

Need some help in Routing in Linux

Post by Bill Marcu » Sun, 26 Nov 2006 00:11:43


On 23 Nov 2006 21:58:22 -0800, GS

> In the routing table in the above message, it shows an entry for the
> "169.254.0 subnet". I have no idea why 169.254.0.0 is showing; I
> didn't add any route for this entry.

It's zeroconf, a protocol that lets PCs choose their own IP addresses
without a DHCP server.  If you don't use it you can uninstall it.

--
I'll see you... on the dark side of the moon...
                -- Pink Floyd

 
 
 

Need some help in Routing in Linux

Post by Tauno Voipi » Sun, 26 Nov 2006 00:39:57



> In the routing table in the above message, it shows an entry for the
> "169.254.0 subnet". I have no idea why 169.254.0.0 is showing; I
> didn't add any route for this entry.

169.254.0.0/16 is a special network reserved to link-local addresses.

For details, Google for 'zeroconf'.

--

Tauno Voipio
tauno voipio (at) iki fi

 
 
 

Need some help in Routing in Linux

Post by GS » Sun, 26 Nov 2006 01:11:39


Actually it is 192.168.1.128, not 192.168.2.128. This 192.168.1.128 is
assigned to the WAN port of the second router (the WAN port of the second
router is connected to one of the switch ports of the first router; that
port was assigned a static IP address using the second router's web
interface). From the 192.168.2 subnet I can ssh/telnet/ftp to all machines
in the 192.168.1 subnet, whereas vice versa nothing is working. I don't
have any firewall enabled on the second router.

Thanks.

 
 
 

Need some help in Routing in Linux

Post by Moe Tr » Sun, 26 Nov 2006 04:58:14


On 23 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article


>we have two different subnets, 192.168.1(ADSL-Router) and 192.168.2
>(regular SOHO router), this second router is connected to one of the port
>on first router and assigned Second Routers wan port as static IP addr
>(192.168.1.128), from 192.168.2 subnet, we can login to all machines in
>192.168.1 subnet, whereas from 192.168.1 to 192.168.2, we can't login
>or ping at all, I added a route on 192.168.1 subnet, still I can't
>access 2nd subnet machines, on first subnet, I added route using below
>command, also the route looks like this, all machines on both subnets are Linux
>machines only.

I'm sure some of those commas are meant to be periods.   OK, all Linux
boxes.  Ignoring for the moment any routes to the world and the loopback
interface, your routing tables should show two routes.  On 192.168.1.0, it
would look like this:

Kernel IP routing table
Destination   Gateway        Genmask        Flags Metric Ref  Use  Iface
192.168.2.0   192.168.1.128  255.255.255.0  UG    0      0      0  eth0
192.168.1.0   *              255.255.255.0  U     0      0      0  eth0

while on 192.168.2.0 it should look like this:

Kernel IP routing table
Destination   Gateway        Genmask        Flags Metric Ref  Use  Iface
192.168.1.0   192.168.2.254  255.255.255.0  UG    0      0      0  eth0
192.168.2.0   *              255.255.255.0  U     0      0      0  eth0

This is to say that one network is local, and the other has to be reached
through a gateway.   To answer your followup question, the 169.254.0.0
route is for windoze ZeroConf, and can be ignored. If it bothers you,
there is a variable in your network configuration files that contains the
letters 'ZeroConf' that can be set to disable this. In RedHat/Fedora, this
is "NOZEROCONF=yes" in the /etc/sysconfig/network configuration file.

Now, you say

> from 192.168.2 subnet, we can login to all machines in 192.168.1 subnet,
> whereas from 192.168.1 to 192.168.2, we can't login or ping at all,

What happens when you try?  What is the exact error message?  If you can
login _FROM_ 192.168.2.x  _TO_ 192.168.1.x, then there is no networking
problem.   This is more likely a firewall or permissions issue, so look at
the output of 'netstat -atupn' and '/sbin/iptables -L' on the systems on
both networks.  How do they differ?

        Old guy

 
 
 

Need some help in Routing in Linux

Post by GS » Mon, 27 Nov 2006 03:25:37


Thanks for the reply. I verified iptables and the routes on both sides; I
can see all rules are flushed on both sides, and the routes also look OK.
I am keeping those commands' outputs below. One thing I noticed is, I ran
"tcpdump -i eth0 port 22" on both machines to see what is going on with
ssh (I am doing ssh from the 192.168.1 subnet to the 192.168.2 subnet);
the remote machine in the 192.168.2 subnet receives that packet, but there
is no reply for that request at all (I can see all packets from the
192.168.1 subnet machine to the 192.168.2 subnet machine only, no reply
from the 192.168.2 subnet machine at all).

Once again, this 192.168.1.128 address is assigned to the second router's
WAN port (that WAN port is connected to a switch port of the first router
and given a static IP address for that port).

This output from 192.168.1 subnet machine
================================


Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.1.128   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This output from 192.168.2 subnet machine
================================

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.2.254   255.255.255.0   UG    0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.2.254   0.0.0.0         UG    0      0        0 eth0


Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (0 references)
target     prot opt source               destination

 
 
 

Need some help in Routing in Linux

Post by Moe Tr » Tue, 28 Nov 2006 04:29:13


On 25 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article


>One thing I noticed is, I ran "tcpdump -i eth0 port 22" on both machines
>to see what is going on with ssh (I am doing ssh from 192.168.1 subnet
>to 192.168.2 subnet), the remote machine in 192.168.2 subnet receives
>that packet, but no reply for that request at all (I can see all packets
>from 192.168.1 subnet machine to 192.168.2 subnet machine only, no reply
>from 192.168.2 subnet machine at all).

On the 192.168.2.x system, two commands:

   netstat -tupan           Is anything listening to port 22?

   tcpdump -i eth0          Is it sending ICMP Type 3s or something?

> This output from 192.168.1 subnet machine

looks OK

> This output from 192.168.2 subnet machine

also looks OK, although the specific route to 192.168.1.0 isn't required as
this is the same as the default route.

        Old guy
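Longest-prefix route lookup over the two tables posted in this thread, as an added example that is not part of the thread: it parses the `route` output pasted above and resolves a few destinations the way the kernel does (longest matching prefix; metric is ignored because every entry shows 0). It also shows the two points made in the replies: on the 192.168.1 host the specific 192.168.2.0/24 entry is what steers that traffic to 192.168.1.128 instead of the ADSL router, while on the 192.168.2 host the specific 192.168.1.0/24 entry resolves to the same next hop as the default route, so it changes nothing. The two tables are copied from the posts; the function names and the destination addresses looked up are my own choices.

```python
import ipaddress

# Copied from the thread: routing table of a host on the 192.168.1 subnet ...
HOST_ON_192_168_1 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     192.168.1.128   255.255.255.0   UG    0      0        0 eth0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

# ... and of a host on the 192.168.2 subnet.
HOST_ON_192_168_2 = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0     *               255.255.255.0   U     0      0        0 eth0
192.168.1.0     192.168.2.254   255.255.255.0   UG    0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.2.254   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Turn `route` output (Destination Gateway Genmask Flags Metric Ref Use Iface)
    into a list of (network, gateway-or-None, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gw, mask, flags, iface = parts[0], parts[1], parts[2], parts[3], parts[7]
        if dest == "default":
            dest = "0.0.0.0"
        # Genmask -> prefix length by counting the one bits of the netmask
        prefixlen = bin(int(ipaddress.IPv4Address(mask))).count("1")
        net = ipaddress.ip_network("%s/%d" % (dest, prefixlen), strict=False)
        # "*" (or 0.0.0.0 with `route -n`) means on-link, no gateway
        gateway = None if gw in ("*", "0.0.0.0") else ipaddress.IPv4Address(gw)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the most specific network containing dst wins.
    Metrics are ignored here because every entry above has metric 0."""
    dst = ipaddress.IPv4Address(dst)
    best = None
    for route in routes:
        net = route[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = route
    return best


def next_hop(routes, dst):
    """Return (gateway or 'direct', iface) for dst, or None if nothing matches."""
    route = lookup(routes, dst)
    if route is None:
        return None
    net, gateway, flags, iface = route
    return (str(gateway) if gateway is not None else "direct", iface)


def without(routes, prefix):
    """The same table minus one entry, to see what the remaining routes would do."""
    drop = ipaddress.ip_network(prefix)
    return [r for r in routes if r[0] != drop]


if __name__ == "__main__":
    r1 = parse_route_table(HOST_ON_192_168_1)
    r2 = parse_route_table(HOST_ON_192_168_2)
    for dst in ("192.168.2.1", "192.168.1.5", "169.254.10.10", "8.8.8.8"):
        print("192.168.1 host -> %-14s %s" % (dst, next_hop(r1, dst)))
    # without the specific route, 192.168.2.x traffic would go to the ADSL router
    print("192.168.1 host, no 192.168.2.0/24 route -> 192.168.2.1",
          next_hop(without(r1, "192.168.2.0/24"), "192.168.2.1"))
    # on the 192.168.2 host the specific route and the default agree
    print("192.168.2 host -> 192.168.1.129", next_hop(r2, "192.168.1.129"),
          "/ without the specific route:",
          next_hop(without(r2, "192.168.1.0/24"), "192.168.1.129"))
```

The 169.254.0.0/16 entry discussed earlier in the thread only ever matches link-local destinations, so for the addresses in play here it never wins the lookup.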

 
 
 

Need some help in Routing in Linux

Post by GS » Tue, 28 Nov 2006 14:38:06


Old guy:

Thanks for your response. Finally I looked into the second router's web
interface; I found there was a firewall enabled, and I disabled it. Now I
can ssh to the second router's WAN port (ssh 192.168.1.128); then it is
redirecting to one of the machines in the second subnet (192.168.2), and
from that machine I am doing ssh to the other machines. When I directly
ssh to one of the machines in the 192.168.2 subnet from the 192.168.1
subnet, then it is not working. I don't know what the issue is here.

Thanks.

 
 
 

Need some help in Routing in Linux

Post by Moe Tr » Wed, 29 Nov 2006 04:44:47


On 26 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article


>Thanks for your response, finally I looked into second Router web
>interface, I found there was a firewall enabled, I disabled it,
>now I can do ssh to Second router's WAN port (ssh 192.168.1.128), then
>it is redirecting to one of the machine in second subnet (192.168.2),

If it's redirecting, then something is still wrong with the routing
tables OR the layout of the network.  What exactly does your layout
look like?  I'm under the impression it is

Internet
   |
first router
   |
192.168.1.x LAN
   |
192.168.1.128   Second router  192.168.2.254
                                     |
                               192.168.2.x LAN

As shown before, the 192.168.1.x _hosts_ should look like this:

Kernel IP routing table
Destination   Gateway        Genmask        Flags Metric Ref  Use  Iface
192.168.2.0   192.168.1.128  255.255.255.0  UG    0      0      0  eth0
192.168.1.0   *              255.255.255.0  U     0      0      0  eth0

(I'm ignoring the loopback and route to the world) and the _hosts_ on the
second LAN should look like this:

Kernel IP routing table
Destination   Gateway        Genmask        Flags Metric Ref  Use  Iface
192.168.1.0   192.168.2.254  255.255.255.0  UG    0      0      0  eth0
192.168.2.0   *              255.255.255.0  U     0      0      0  eth0

If the second router was a Linux box, the routing table on that would
look like this:

Kernel IP routing table
Destination   Gateway        Genmask        Flags Metric Ref  Use  Iface
192.168.1.0   *              255.255.255.0  U     0      0      0  eth0
192.168.2.0   *              255.255.255.0  U     0      0      0  eth1

> then from that machine I am doing ssh to other machine, when I directly
> do ssh to one of the machine in 192.168.2 subnet from 192.168.1 subnet,
> then it is not working. I don't know what is the issue here.

Run tcpdump on the client box on the 192.168.1 subnet  AND on the server
box on the 192.168.2 subnet. What do the packets say?  Can the client
reach the server (does the server see those packets)?  What response is
the server sending?  Does the client see that response?

        Old guy

 
 
 

Need some help in Routing in Linux

Post by GS » Wed, 29 Nov 2006 12:17:01


Old guy:

Thanks for your diagram; it is absolutely correct. Actually I ran
tcpdump on both sides; I can see the response being sent by the 192.168.2
subnet machine, but that packet is not reaching the 192.168.1 subnet
machine. I am keeping some tcpdump output below (the timing is not
correct, since I don't have the exact time's output); this is the output.
I am not seeing the response packet received at 192.168.1.129. Also I
disabled the firewall on the second router and tried; I got the same
thing. At least now I can do "ssh 192.168.1.128" and reach all the other
machines in the second subnet.


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:29:37.244027 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124696467 0,nop,wscale 2>
08:29:40.242870 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124699467 0,nop,wscale 2>


21:28:00.910480 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2522694 0,nop,wscale 2>
21:28:00.910539 192.168.2.1.ssh > 192.168.1.129.47628: S 4213987684:4213987684(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225595 2522694,nop,wscale 0> (DF)
21:28:00.912214 192.168.1.129.47628 > 192.168.2.1.ssh: R 1924612882:1924612882(0) win 0
21:28:03.908582 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2525694 0,nop,wscale 2>
21:28:03.908625 192.168.2.1.ssh > 192.168.1.129.47628: S 4216985784:4216985784(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225894 2525694,nop,wscale 0> (DF)

 
 
 

Need some help in Routing in Linux

Post by Moe Tr » Thu, 30 Nov 2006 04:53:35


On 27 Nov 2006, in the Usenet newsgroup comp.os.linux.networking, in article


>Thanks for your diagram, it is absolutely correct.

OK - then this should be a pretty simple problem to solve.

> I am keeping some tcpdump below (timing is not correct, since I don't have
> exact time's output), this is an output.

This appears to be two completely different attempts. What changed between
the two, as they are different? Notice that while the port numbers are
consistent, the timestamp and sequence numbers differ considerably.

> 08:29:37.244027 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124696467 0,nop,wscale 2>
> 08:29:40.242870 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124699467 0,nop,wscale 2>

Connection attempt - no response

> 21:28:00.910480 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2522694 0,nop,wscale 2>
> 21:28:00.910539 192.168.2.1.ssh > 192.168.1.129.47628: S 4213987684:4213987684(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225595 2522694,nop,wscale 0> (DF)

That's two parts of the three-way handshake, which is good.

> 21:28:00.912214 192.168.1.129.47628 > 192.168.2.1.ssh: R 1924612882:1924612882(0) win 0

But the originating host says "Go away - I don't want to talk to you",
and then

> 21:28:03.908582 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2525694 0,nop,wscale 2>
> 21:28:03.908625 192.168.2.1.ssh > 192.168.1.129.47628: S 4216985784:4216985784(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225894 2525694,nop,wscale 0> (DF)

Here are another two parts of a handshake.  Do you have a firewall on
192.168.1.129 that is blocking 192.168.2.1?

        Old guy
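A small parser for the two captures in this thread, as an added example that is not from the thread: it groups tcpdump lines by flow (the side that sent the bare SYN is the client), reduces each flow to handshake-level events and reports an outcome code, so the two situations the reply above distinguishes (SYNs that are never answered, and a SYN-ACK answered by a RST from the client) come out as different codes instead of having to be read off by eye. The capture lines are copied from the post; the function names, outcome codes and explanation text are my own, and the pattern only handles the 2006-era tcpdump line format shown here, not the newer `Flags [S.]` style.

```python
import re

# One TCP summary line in the format the tcpdump in the post prints:
# "<time> [IP] <src>.<sport> > <dst>.<dport>: <flags> ...", where " ack <n>"
# is present when the ACK bit is set. A pure ACK is printed with flags ".".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+):\s+"
    r"(?P<flags>[SFRPWEU.]+)(?P<rest>.*)$"
)

# Copied from the post above: capture A shows only the client's SYNs,
# capture B shows the server answering and the client resetting.
CAPTURE_A = """\
08:29:37.244027 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124696467 0,nop,wscale 2>
08:29:40.242870 IP 192.168.1.129.47628 > 192.168.2.1.ssh: S 2002171283:2002171283(0) win 5840 <mss 1460,sackOK,timestamp 124699467 0,nop,wscale 2>
""".splitlines()

CAPTURE_B = """\
21:28:00.910480 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2522694 0,nop,wscale 2>
21:28:00.910539 192.168.2.1.ssh > 192.168.1.129.47628: S 4213987684:4213987684(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225595 2522694,nop,wscale 0> (DF)
21:28:00.912214 192.168.1.129.47628 > 192.168.2.1.ssh: R 1924612882:1924612882(0) win 0
21:28:03.908582 192.168.1.129.47628 > 192.168.2.1.ssh: S 1924612881:1924612881(0) win 5840 <mss 1460,sackOK,timestamp 2525694 0,nop,wscale 2>
21:28:03.908625 192.168.2.1.ssh > 192.168.1.129.47628: S 4216985784:4216985784(0) ack 1924612882 win 5792 <mss 1460,sackOK,timestamp 225894 2525694,nop,wscale 0> (DF)
""".splitlines()


def parse_line(line):
    """Return the fields of one TCP summary line, or None for anything else
    (tcpdump banners, non-TCP traffic, the newer 'Flags [...]' format)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["ack"] = " ack " in pkt["rest"]
    return pkt


def handshake_events(lines):
    """Group packets into flows keyed by ((client, port), (server, port)) and
    reduce each flow to a list of handshake-level events."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if "S" in flags and not pkt["ack"]:
            # bare SYN: whoever sends it is the client of this flow
            flows.setdefault((a, b), []).append("SYN")
            continue
        if (a, b) in flows:
            key, role = (a, b), "client"
        elif (b, a) in flows:
            key, role = (b, a), "server"
        else:
            continue  # flow whose SYN was not captured
        events = flows[key]
        if "S" in flags and pkt["ack"]:
            events.append("SYN-ACK")
        elif "R" in flags:
            events.append("RST from " + role)
        elif flags == "." and role == "client" and events and events[-1] == "SYN-ACK":
            events.append("ACK from client")  # third packet of the handshake
        # data and FIN segments are not handshake events and are skipped
    return flows


def diagnose(events):
    """Classify one flow's event list into a short outcome code."""
    if not events:
        return "NO_PACKETS"
    if set(events) == {"SYN"}:
        return "NO_REPLY"
    if "SYN-ACK" in events and "ACK from client" in events:
        return "COMPLETED"
    if "SYN-ACK" in events and "RST from client" in events:
        return "CLIENT_RESET"
    if "RST from server" in events:
        return "SERVER_REFUSED"
    return "INCOMPLETE"


EXPLANATION = {
    "NO_REPLY": "SYN retransmitted, nothing came back: the SYN is not reaching the server, or something drops it silently",
    "CLIENT_RESET": "server sent SYN-ACK but the client answered RST: check the client-side capture for that SYN-ACK, and any firewall or NAT in between",
    "COMPLETED": "three-way handshake completed",
    "SERVER_REFUSED": "server answered the SYN with RST: nothing is listening on that port",
}


def report(lines):
    """Outcome code per flow, for comparing two captures side by side."""
    return {key: diagnose(events) for key, events in handshake_events(lines).items()}


if __name__ == "__main__":
    for name, cap in (("capture A", CAPTURE_A), ("capture B", CAPTURE_B)):
        for (client, server), events in handshake_events(cap).items():
            code = diagnose(events)
            print("%s %s:%s -> %s:%s | %s | %s" % (name, client[0], client[1], server[0],
                  server[1], ", ".join(events), EXPLANATION.get(code, code)))
```

Run against both captures at once, the flow to 192.168.2.1:ssh comes out as NO_REPLY in the first and CLIENT_RESET in the second; the interesting question the reply above raises is why the same client that saw nothing in capture A is the one sending the RST in capture B.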

 
 
 
